package com.amazon.redshift.plugin;

import com.amazon.redshift.CredentialsHolder;
import com.amazon.redshift.IPlugin;
import com.amazon.redshift.core.PGJDBCPropertyKey;
import com.amazon.redshift.ssl.NonValidatingFactory;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleWithSAMLRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.util.Base64;
import com.amazonaws.util.StringUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.client.LaxRedirectStrategy;
import org.joda.time.DateTimeConstants;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/* loaded from: input_file:RedshiftJDBCImplementation4.jar:com/amazon/redshift/plugin/SamlCredentialsProvider.class */
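/**
 * Base class for SAML-federated Redshift credential plugins.
 *
 * <p>A concrete subclass obtains a base64-encoded SAML assertion from an identity
 * provider ({@link #getSamlAssertion()}); this class parses the assertion, picks a
 * role/principal ARN pair from it, exchanges it for temporary credentials through
 * STS {@code AssumeRoleWithSAML}, and caches the result. The cache is a single
 * static map shared by every instance in the JVM, keyed on the connection
 * parameters that influence the resulting credentials.
 *
 * <p>Thread-safety: the cache itself is a {@link ConcurrentHashMap}; the
 * check-then-refresh in {@link #getCredentials()} is not atomic, so two threads
 * may refresh the same key concurrently (harmless, last write wins). Instance
 * fields are not synchronized; configure an instance before sharing it.
 */
public abstract class SamlCredentialsProvider implements IPlugin {
    protected static final String KEY_IDP_HOST = "idp_host";
    private static final String KEY_IDP_PORT = "idp_port";
    private static final String KEY_DURATION = "duration";
    private static final String KEY_PREFERRED_ROLE = "preferred_role";
    private static final String KEY_SSL_INSECURE = "ssl_insecure";

    // SAML attribute names read from the assertion.
    private static final String ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role";
    private static final String ATTR_ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName";
    private static final String ATTR_DB_USER = "https://redshift.amazon.com/SAML/Attributes/DbUser";
    private static final String ATTR_AUTO_CREATE = "https://redshift.amazon.com/SAML/Attributes/AutoCreate";
    private static final String ATTR_DB_GROUPS = "https://redshift.amazon.com/SAML/Attributes/DbGroups";

    // The partition segment accepts "aws" as well as "aws-cn", "aws-us-gov", ...
    private static final Pattern SAML_PROVIDER_ARN =
            Pattern.compile("arn:aws(?:-[a-z]+)*:iam::\\d*:saml-provider/\\S+");
    private static final Pattern ROLE_ARN =
            Pattern.compile("arn:aws(?:-[a-z]+)*:iam::\\d*:role/\\S+");
    // Compiled once; the original recompiled this on every call.
    private static final Pattern INPUT_TAG = Pattern.compile(".*?<input.*?(.*).*?/>.*", Pattern.MULTILINE);

    // Separator between cache-key components so that "ab"+"c" and "a"+"bc" do not collide.
    private static final String CACHE_KEY_SEPARATOR = "\0";

    protected String m_userName;
    protected String m_password;
    protected String m_idpHost;
    protected int m_idpPort = 443;
    protected int m_duration;
    protected String m_preferredRole;
    protected boolean m_sslInsecure;
    protected String m_dbUser;
    protected String m_dbGroups;
    protected Boolean m_autoCreate;
    protected String m_region;

    // Shared by all instances; see class Javadoc for the concurrency contract.
    private static final Map<String, CredentialsHolder> m_cache = new ConcurrentHashMap<String, CredentialsHolder>();

    /**
     * Obtains the base64-encoded SAML assertion from the identity provider.
     *
     * @return the encoded assertion; must be non-empty for {@link #refresh()} to succeed
     * @throws IOException if the identity provider cannot be reached or rejects the login
     */
    protected abstract String getSamlAssertion() throws IOException;

    /**
     * Records one connection property. Keys are matched case-insensitively; unknown
     * keys are ignored.
     *
     * <p>Recognised keys: {@code UID}/{@link PGJDBCPropertyKey#USERNAME_ALT},
     * {@code PWD}/{@link PGJDBCPropertyKey#PASSWORD_ALT}, {@code idp_host},
     * {@code idp_port}, {@code duration}, {@code preferred_role}, {@code ssl_insecure},
     * {@link PGJDBCPropertyKey#DB_USER}, {@link PGJDBCPropertyKey#DB_GROUPS},
     * {@link PGJDBCPropertyKey#USER_AUTOCREATE} and {@link PGJDBCPropertyKey#AWS_REGION}.
     *
     * @param str  property name
     * @param str2 property value
     * @throws NumberFormatException if {@code idp_port} or {@code duration} is not an integer
     */
    @Override // com.amazon.redshift.IPlugin
    public void addParameter(String str, String str2) {
        if ("UID".equalsIgnoreCase(str) || PGJDBCPropertyKey.USERNAME_ALT.equalsIgnoreCase(str)) {
            this.m_userName = str2;
            return;
        }
        if ("PWD".equalsIgnoreCase(str) || PGJDBCPropertyKey.PASSWORD_ALT.equalsIgnoreCase(str)) {
            this.m_password = str2;
            return;
        }
        if (KEY_IDP_HOST.equalsIgnoreCase(str)) {
            this.m_idpHost = str2;
            return;
        }
        if (KEY_IDP_PORT.equalsIgnoreCase(str)) {
            this.m_idpPort = Integer.parseInt(str2);
            return;
        }
        if (KEY_DURATION.equalsIgnoreCase(str)) {
            this.m_duration = Integer.parseInt(str2);
            return;
        }
        if (KEY_PREFERRED_ROLE.equalsIgnoreCase(str)) {
            this.m_preferredRole = str2;
            return;
        }
        if (KEY_SSL_INSECURE.equalsIgnoreCase(str)) {
            this.m_sslInsecure = Boolean.parseBoolean(str2);
            return;
        }
        if (PGJDBCPropertyKey.DB_USER.equalsIgnoreCase(str)) {
            this.m_dbUser = str2;
            return;
        }
        if (PGJDBCPropertyKey.DB_GROUPS.equalsIgnoreCase(str)) {
            this.m_dbGroups = str2;
            return;
        }
        if (PGJDBCPropertyKey.USER_AUTOCREATE.equalsIgnoreCase(str)) {
            this.m_autoCreate = Boolean.valueOf(str2);
            return;
        }
        if (PGJDBCPropertyKey.AWS_REGION.equalsIgnoreCase(str)) {
            this.m_region = str2;
        }
    }

    /**
     * Returns cached credentials for the current parameters, refreshing them first
     * when absent or expired.
     *
     * @return a non-null credentials holder
     * @throws SdkClientException if no credentials are available after a refresh
     */
    @Override // com.amazonaws.auth.AWSCredentialsProvider
    public CredentialsHolder getCredentials() {
        String cacheKey = getCacheKey();
        CredentialsHolder cached = m_cache.get(cacheKey);
        if (cached == null || cached.isExpired()) {
            refresh();
            cached = m_cache.get(cacheKey);
        }
        if (cached == null) {
            throw new SdkClientException("Unable to load AWS credentials from ADFS");
        }
        return cached;
    }

    /**
     * Fetches a fresh SAML assertion, selects a role from it, exchanges it for STS
     * session credentials and stores them in the shared cache.
     *
     * <p>Role selection: if {@code preferred_role} was configured it must appear in
     * the assertion's Role attribute; otherwise the first role listed in the
     * assertion is used.
     *
     * @throws SdkClientException wrapping any parsing or identity-provider failure,
     *         or when the assertion carries no usable role
     */
    @Override // com.amazonaws.auth.AWSCredentialsProvider
    public void refresh() {
        try {
            String samlAssertion = getSamlAssertion();
            if (StringUtils.isNullOrEmpty(samlAssertion)) {
                throw new SdkClientException("SAML error: identity provider returned an empty SAML assertion");
            }
            Document document = parse(Base64.decode(samlAssertion));
            XPath xPath = XPathFactory.newInstance().newXPath();

            Map<String, String> roles = readRoles(xPath, document);
            // Never echo the assertion into the message: it is bearer credential material
            // and exception text routinely ends up in logs.
            if (roles.isEmpty()) {
                throw new SdkClientException("No role found in SamlAssertion");
            }

            String roleArn;
            String principalArn;
            if (this.m_preferredRole != null) {
                roleArn = this.m_preferredRole;
                principalArn = roles.get(roleArn);
                if (principalArn == null) {
                    throw new SdkClientException("Preferred role not found in SamlAssertion: " + roleArn);
                }
            } else {
                Map.Entry<String, String> first = roles.entrySet().iterator().next();
                roleArn = first.getKey();
                principalArn = first.getValue();
            }

            Credentials stsCredentials = assumeRoleWithSaml(samlAssertion, roleArn, principalArn);
            CredentialsHolder holder = CredentialsHolder.newInstance(
                    new BasicSessionCredentials(
                            stsCredentials.getAccessKeyId(),
                            stsCredentials.getSecretAccessKey(),
                            stsCredentials.getSessionToken()),
                    stsCredentials.getExpiration());
            holder.setMetadata(readMetadata(xPath, document));
            m_cache.put(getCacheKey(), holder);
        } catch (IOException e) {
            throw new SdkClientException("SAML error: " + e.getMessage(), e);
        } catch (ParserConfigurationException e) {
            throw new SdkClientException("SAML error: " + e.getMessage(), e);
        } catch (XPathExpressionException e) {
            throw new SdkClientException("SAML error: " + e.getMessage(), e);
        } catch (SAXException e) {
            throw new SdkClientException("SAML error: " + e.getMessage(), e);
        }
    }

    /**
     * Extracts the role ARN to principal (SAML provider) ARN pairs from the
     * assertion's Role attribute.
     *
     * <p>Each attribute value is a comma-separated list; an entry is kept only when
     * it contains both a role ARN and a saml-provider ARN, in either order. Document
     * order is preserved so that the fallback "first role" choice is deterministic.
     *
     * @return map from role ARN to principal ARN, possibly empty, never null
     */
    private static Map<String, String> readRoles(XPath xPath, Document document) throws XPathExpressionException {
        Map<String, String> roles = new LinkedHashMap<String, String>();
        for (String value : getSamlAttributeValues(xPath, document, ATTR_ROLE)) {
            String[] parts = value.split(StringUtils.COMMA_SEPARATOR);
            if (parts.length < 2) {
                continue;
            }
            String principalArn = null;
            String roleArn = null;
            for (String part : parts) {
                Matcher providerMatcher = SAML_PROVIDER_ARN.matcher(part);
                if (providerMatcher.find()) {
                    principalArn = providerMatcher.group(0);
                    continue;
                }
                Matcher roleMatcher = ROLE_ARN.matcher(part);
                if (roleMatcher.find()) {
                    roleArn = roleMatcher.group(0);
                }
            }
            if (!StringUtils.isNullOrEmpty(roleArn) && !StringUtils.isNullOrEmpty(principalArn)) {
                roles.put(roleArn, principalArn);
            }
        }
        return roles;
    }

    /**
     * Calls STS {@code AssumeRoleWithSAML} with anonymous AWS credentials (the SAML
     * assertion is the credential) in the configured region.
     *
     * @return the temporary credentials returned by STS
     */
    private Credentials assumeRoleWithSaml(String samlAssertion, String roleArn, String principalArn) {
        AssumeRoleWithSAMLRequest request = new AssumeRoleWithSAMLRequest();
        request.setSAMLAssertion(samlAssertion);
        request.setRoleArn(roleArn);
        request.setPrincipalArn(principalArn);
        if (this.m_duration > 0) {
            // 0 means "not configured": let STS apply its default session duration.
            request.setDurationSeconds(Integer.valueOf(this.m_duration));
        }
        AWSSecurityTokenServiceClientBuilder builder = AWSSecurityTokenServiceClientBuilder.standard();
        builder.setRegion(this.m_region);
        return builder
                .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                .build()
                .assumeRoleWithSAML(request)
                .getCredentials();
    }

    /**
     * Builds the cache key from every parameter that influences the credentials
     * obtained: user, password, IdP host/port, duration and preferred role.
     * Components are delimited so differing splits of the same characters do not
     * share a key.
     */
    private String getCacheKey() {
        return this.m_userName + CACHE_KEY_SEPARATOR
                + this.m_password + CACHE_KEY_SEPARATOR
                + this.m_idpHost + CACHE_KEY_SEPARATOR
                + this.m_idpPort + CACHE_KEY_SEPARATOR
                + this.m_duration + CACHE_KEY_SEPARATOR
                + this.m_preferredRole;
    }

    /**
     * Reads the Redshift-specific attributes (DbUser, AutoCreate, DbGroups) from the
     * assertion into IAM metadata.
     *
     * <p>DbUser falls back to the standard RoleSessionName attribute when the
     * Redshift DbUser attribute is absent. Multiple DbGroups values are joined with
     * commas. Attributes that are absent leave the corresponding metadata field unset.
     */
    private CredentialsHolder.IamMetadata readMetadata(XPath xPath, Document document) throws XPathExpressionException {
        CredentialsHolder.IamMetadata metadata = new CredentialsHolder.IamMetadata();

        List<String> dbUsers = getSamlAttributeValues(xPath, document, ATTR_DB_USER);
        if (dbUsers.isEmpty()) {
            dbUsers = getSamlAttributeValues(xPath, document, ATTR_ROLE_SESSION_NAME);
        }
        if (!dbUsers.isEmpty()) {
            metadata.setDbUser(dbUsers.get(0));
        }

        List<String> autoCreate = getSamlAttributeValues(xPath, document, ATTR_AUTO_CREATE);
        if (!autoCreate.isEmpty()) {
            metadata.setAutoCreate(Boolean.valueOf(autoCreate.get(0)));
        }

        List<String> dbGroups = getSamlAttributeValues(xPath, document, ATTR_DB_GROUPS);
        if (!dbGroups.isEmpty()) {
            StringBuilder joined = new StringBuilder();
            for (String group : dbGroups) {
                if (joined.length() > 0) {
                    joined.append(',');
                }
                joined.append(group);
            }
            metadata.setDbGroups(joined.toString());
        }
        return metadata;
    }

    /**
     * Parses the decoded SAML assertion into a DOM document.
     *
     * <p>The assertion is received from a remote identity provider, so the parser is
     * hardened against XXE and entity-expansion attacks: DOCTYPE declarations are
     * rejected, external entities are not resolved and XInclude is disabled.
     *
     * @throws ParserConfigurationException if the underlying parser does not support the
     *         hardening features (the caller turns this into an {@link SdkClientException})
     */
    private static Document parse(byte[] bArr) throws IOException, SAXException, ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder().parse(new ByteArrayInputStream(bArr));
    }

    /**
     * Returns the text of every {@code AttributeValue} under the {@code Attribute}
     * whose {@code Name} equals {@code attributeName}, in document order.
     *
     * @return the values, or an empty list when the attribute is absent; never null
     */
    private static List<String> getSamlAttributeValues(XPath xPath, Document document, String attributeName)
            throws XPathExpressionException {
        String expression = String.format("//Attribute[@Name='%s']/AttributeValue/text()", attributeName);
        NodeList nodes = (NodeList) xPath.compile(expression).evaluate(document, XPathConstants.NODESET);
        if (nodes == null || nodes.getLength() == 0) {
            return Collections.emptyList();
        }
        List<String> values = new ArrayList<String>(nodes.getLength());
        for (int i = 0; i < nodes.getLength(); i++) {
            values.add(nodes.item(i).getNodeValue());
        }
        return values;
    }

    /**
     * Creates the HTTP client used to talk to the identity provider: one-minute
     * socket and connect timeouts, standard cookie handling, lax redirect following.
     *
     * <p>When {@code ssl_insecure} is set, server certificate validation and hostname
     * verification are both disabled for this client. That setting makes the IdP
     * login (including the user's password) interceptable by anyone on the network
     * path and should only be used against test IdPs.
     *
     * @throws GeneralSecurityException if the TLS context cannot be initialised
     */
    public CloseableHttpClient getHttpClient() throws GeneralSecurityException {
        RequestConfig requestConfig = RequestConfig.custom()
                .setSocketTimeout(DateTimeConstants.MILLIS_PER_MINUTE)
                .setConnectTimeout(DateTimeConstants.MILLIS_PER_MINUTE)
                .setExpectContinueEnabled(false)
                .setCookieSpec(CookieSpecs.STANDARD)
                .build();
        HttpClientBuilder builder = HttpClients.custom()
                .setDefaultRequestConfig(requestConfig)
                .setRedirectStrategy(new LaxRedirectStrategy());
        if (this.m_sslInsecure) {
            SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
            sslContext.init(null, new TrustManager[]{new NonValidatingFactory()}, null);
            builder.setSSLSocketFactory(
                    new SSLConnectionSocketFactory(sslContext.getSocketFactory(), new NoopHostnameVerifier()));
        }
        return builder.build();
    }

    /**
     * Returns every stretch of {@code str} matched by {@link #INPUT_TAG} (a line
     * containing an {@code <input ... />} element), in order of appearance.
     *
     * @param str HTML login page text
     * @return the matched fragments; empty if none
     */
    public List<String> getInputTagsfromHTML(String str) {
        List<String> tags = new ArrayList<String>();
        Matcher matcher = INPUT_TAG.matcher(str);
        while (matcher.find()) {
            tags.add(matcher.group(0));
        }
        return tags;
    }

    /**
     * Returns the double-quoted value of the first {@code key="value"} occurrence in
     * {@code str} (whitespace allowed around {@code =}), or {@code ""} if absent.
     *
     * @param str  text to search, typically one {@code <input>} tag
     * @param str2 attribute name, matched literally
     */
    public String getValueByKey(String str, String str2) {
        Pattern keyValue = Pattern.compile("(" + Pattern.quote(str2) + ")\\s*=\\s*\"(.*?)\"");
        Matcher matcher = keyValue.matcher(str);
        return matcher.find() ? matcher.group(2) : "";
    }

    /**
     * Verifies that user, password and idp_host have been supplied.
     *
     * @throws IOException naming the first missing property
     */
    public void checkRequiredParameters() throws IOException {
        if (StringUtils.isNullOrEmpty(this.m_userName)) {
            throw new IOException("Missing required property: user");
        }
        if (StringUtils.isNullOrEmpty(this.m_password)) {
            throw new IOException("Missing required property: password");
        }
        if (StringUtils.isNullOrEmpty(this.m_idpHost)) {
            throw new IOException("Missing required property: idp_host");
        }
    }
}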
